Posted Updated Writeup13 minutes read (About 1957 words)

XMUTCTF 2021 Writeup 0x1

Rank2

某校校赛,放到博客上水水,(为什么要水?题目很基础,对CTF感兴趣的可以看看)

Misc

签到

img

战队成立的日期

word

img

Word文字上个色

flag{code_monster_word_hide}

哦?队标!(二)

img

看文件头,发现是 FF D8 FF E0(jpeg)格式,改后缀,得到小恐龙

img

最后,右键属性打开得到flag

img

pdf

img

熟悉的pdf题,转成Word,把图片挪开即可

img

flag{xmutsec_pdf_hide}

你对程序熟悉吗

img

运行程序,回显 Maybe flag in Resource! 使用 Resource Hacker 打开

在窗体Label处发现 Hex 编码后的 flag

img

解密后得到一半flag a_nice_place}

img

最后在文件末尾处发现逆序后的另一半flag

img

flag{this_is_a_nice_place}

哥谭恶梦

img

hex打开,发现文件头被修改了,拉到文件尾,输入正确值

img

img

压缩包解压后得到

img

仔细看可以发现password.txt里的内容

解码过程:Hex->Str->base32->base64,解出来的值就是 第二重梦境.zip 的密码

密码:getan

img

第二重梦境.zip 内容 emo.zip(有密码)

img

翻了半天,发现密码在文件尾╰(‵□′)╯

img

解压后得到一个视频,在视频第47帧的时候出现一个BV号

img

输入视频地址,查看留言板得到flag

img

flag{This_is_a_getan_emeng}

你会倒立洗头吗

img

题目打开,发现是一堆十六进制编码

img

Winhex打开拉到末尾发现文件头为zip,每俩位反转一下,在总体反一下

img

exp

1
2
3
4
5
6
str = "那坨hex"
flag = "" 
for i in range(len(str),0,-2): 
    t=str[i-2:i] 
    flag=flag+t 
print(flag)

脚本跑出来后,解压得到一张图片。图片内容为flag

img

flag{xmut_sec_daoli_xitou}

简单的流量分析

img

题目得到一堆键位表,写个脚本跑一下就好了0009

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
000f
0004
000a
202f 
201C
0027 
0018 
002D
2004
0015
0008
002D
0019
0008
0015
001C
002D
0011
001E
0006
0008
2030

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
key="0009 000f 0004 000a 202f 201C 0027 0018 002D 2004 0015 0008 002D 0019 0008 0015 001C 002D 0011 001E 0006 0008 2030"
normalKeys = {
    "04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
    "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
     "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
      "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
       "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
        "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
         "22":"5", "23":"6","24":"7","25":"8","26":"9",
         "27":"0","28":"","29":"","2a":"", "2b":"\t",
         "2c":"","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
         "32":"","33":";","34":"'","35":"","36":",","37":".",
         "38":"/","39":"","3a":"","3b":"", "3c":"","3d":"",
         "3e":"","3f":"","40":"","41":"","42":"","43":"",
         "44":"","45":""}
shiftKeys = {
    "04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
     "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
      "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
       "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
        "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
         "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
          "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
          "28":"","29":"","2a":"", "2b":"\t","2c":"",
          "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"","33":"\"",
          "34":":","35":"","36":"<","37":">","38":"?","39":"","3a":"",
          "3b":"", "3c":"","3d":"","3e":"","3f":"","40":"",
          "41":"","42":"","43":"","44":"","45":""}
a = key.split(' ')
flag=""
t=""
for i in range(len(a)):
    t = a[i].lower()
    if(t[:2] == "20"):
        flag += shiftKeys[t[2:]]
    else:
        flag += normalKeys[t[2:]]
print(flag)

img

flag{Y0u-Are-very-n1ce}

审查日志,就这吗

文件打开,一堆log

当状态为500的时候出现了base64编码,解码一下即是flag

flag{YouShouJiuXing}

你会破解密码吗

img

flag文件打开,发现flag(base64后的)

直接上脚本跑

exp

1
2
3
4
5
6
import base64 str="MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,NTAgNEIgMDMgMDQgMTQgMDAgMDEgMDAgMDAgMDAgMzIgOUYgN0MgNTMgMkQgMEQ=,NDYgNkMgMkYgMDAgMDAgMDAgMjMgMDAgMDAgMDAgMDggMDAgMDAgMDAgNjYgNkM=,NjEgNjcgMkUgNzQgNzggNzQgMjcgMEEgNTcgM0QgMDEgOUUgMjYgMDIgQUUgN0U=,REMgQjIgMTkgQjYgNDEgNUUgQzkgMzUgM0YgMDEgQkMgNjIgNEMgOUUgN0QgRUE=,OUYgMDUgNEQgMDcgMUIgOTEgMkYgODMgNDUgNTIgRUYgREEgOTQgRjMgNjYgNDM=,Q0IgQjYgMTggRkEgQjAgNTAgNEIgMDEgMDIgM0YgMDAgMTQgMDAgMDEgMDAgMDA=,MDAgMzIgOUYgN0MgNTMgMkQgMEQgNDYgNkMgMkYgMDAgMDAgMDAgMjMgMDAgMDA=,MDAgMDggMDAgMjQgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMjAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgNjYgNkMgNjEgNjcgMkUgNzQgNzggNzQgMEEgMDAgMjAgMDAgMDA=,MDAgMDAgMDAgMDEgMDAgMTggMDAgNDkgNkMgRUEgMjEgNEYgRTQgRDcgMDEgMjQ=,MEEgMTUgODQgNEYgRTQgRDcgMDEgMjYgNDMgQkYgMTYgNEYgRTQgRDcgMDEgNTA=,NEIgMDUgMDYgMDAgMDAgMDAgMDAgMDEgMDAgMDEgMDAgNUEgMDAgMDAgMDAgNTU=,MDAgMDAgMDAgMDAgMDA=" #str="MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA,NTAgNEIgMDMgMDQgMTQgMDAgMDEgMDAgMDAgMDAgMzIgOUYgN0MgNTMgMkQgMEQ,NDYgNkMgMkYgMDAgMDAgMDAgMjMgMDAgMDAgMDAgMDggMDAgMDAgMDAgNjYgNkM,NjEgNjcgMkUgNzQgNzggNzQgMjcgMEEgNTcgM0QgMDEgOUUgMjYgMDIgQUUgN0U,REMgQjIgMTkgQjYgNDEgNUUgQzkgMzUgM0YgMDEgQkMgNjIgNEMgOUUgN0QgRUE,OUYgMDUgNEQgMDcgMUIgOTEgMkYgODMgNDUgNTIgRUYgREEgOTQgRjMgNjYgNDM,Q0IgQjYgMTggRkEgQjAgNTAgNEIgMDEgMDIgM0YgMDAgMTQgMDAgMDEgMDAgMDA,MDAgMzIgOUYgN0MgNTMgMkQgMEQgNDYgNkMgMkYgMDAgMDAgMDAgMjMgMDAgMDA,MDAgMDggMDAgMjQgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMjAgMDAgMDAgMDAgMDA,MDAgMDAgMDAgNjYgNkMgNjEgNjcgMkUgNzQgNzggNzQgMEEgMDAgMjAgMDAgMDA,MDAgMDAgMDAgMDEgMDAgMTggMDAgNDkgNkMgRUEgMjEgNEYgRTQgRDcgMDEgMjQ,MEEgMTUgODQgNEYgRTQgRDcgMDEgMjYgNDMgQkYgMTYgNEYgRTQgRDcgMDEgNTA,NEIgMDUgMDYgMDAgMDAgMDAgMDAgMDEgMDAgMDEgMDAgNUEgMDAgMDAgMDAgNTU,MDAgMDAgMDAgMDAgMDA" 
a = str.split(',') 
for i in range(len(a)): 
    flag = "" 
    flag = base64.b64decode(a[i]).decode("utf-8") 
print(flag)

img

最后得到一个zip

img

john跑一下shadow即可,密码为:e10adc3949ba59abbe56e057f20f883e

flag(welcome_to_the_codemonsterCTF}

Crypto

一顿午饭

img

培根密码,把阿替换成A,巴替换成B,即可

img

flag{peigenbuhaochi}

高等数学

img

高数题。。。。学长的字真好看

img

(1)

$$\lim\limits_{x \to 0}\frac{sinx-tanx}{(^3\sqrt{1+x^2}-1)(\sqrt{1+sinx}-1)}$$

img

(2)

$$\lim\limits_{x \to 0}\frac{tanx-sinx}{x^3}$$

img

(3)

$$\lim\limits_{x \to 0}\frac{tanx-x}{x-sinx}$$

img

(4)

$$\lim\limits_{x \to 1}\frac{x-x^x}{1-x+\ln{x}}$$

img

(5)

$$\lim\limits_{x \to 0}x^{\sin{x}}

flag{-3-1/2-2-2-1}

flag{-3-0.5-2-2-1}

线性代数

img

(1)

$$\begin{vmatrix}
1 & 2 & 3 \
3 & 1 & 2 \
2 & 3 & 1 \
\end{vmatrix}$$

$$111+333+222-312-231-231=18$$

(2)

$$\begin{pmatrix}
1 & 1 & 2 \
1 & -1 & 0 \
\end{pmatrix}
\begin{pmatrix}
3 & 4 \
5 & 4 \
2 & 7 \
\end{pmatrix}$$

img

easy_rsa

给出q、p、c、e

1
2
3
4
q= 9961202707366965556741565662110710902919441271996809241009358666778850435448710324711706845973820669201482939820488174382325795134659313309606698334978471
p= 12525187149887628510447403881107442078833803097302579419605689530714690308437476207855511625840027119860834633695330551080761572835309850579517639206740101
c= 99825057183614908787750492272634823904256549969848320330845017733290231024958858406831408456826620972650757755414065865320048636359693704223195650116200245278927814135297919980128020846659999925380668668207081398871867586714713412635145486121523684408692869804472866624405914184425850720049825033051018623742
e = 65537

这题不难,求出n,在求出d就可以了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import gmpy2
q=
99612027073669655567415656621107109029194412719968092410093586667788504354487103
24711706845973820669201482939820488174382325795134659313309606698334978471
p=
12525187149887628510447403881107442078833803097302579419605689530714690308437476
207855511625840027119860834633695330551080761572835309850579517639206740101
c=
99825057183614908787750492272634823904256549969848320330845017733290231024958858
40683140845682662097265075775541406586532004863635969370422319565011620024527892
78141352979199801280208466599999253806686682070813988718675867147134126351454861
21523684408692869804472866624405914184425850720049825033051018623742
e = 65537
n = q * p
d = gmpy2.invert(e,(p-1)*(q-1))
m = pow(c,d,n)
print(hex(m))

img

flag{xmut_sec_rsa_fun}

在社会主义下的base家族

img

主要考查社会主义编码(SC+999999999999999999999999999999999999999)

解出来得:SFJ4Ukw3a3drcDlvNUFNZ1NMeDFGVjVNcmZkYUFqYXc5RVBqaVBrTlFtelBj

这串为base64,然后根据题意base大家族,base1-100,全部解一遍,最后解码方式base58->base85->base92

img

flag{family_is_base}

对称加密

科普:常见的对称加密有DES、AES、RC、Rabbit

这里题目用到的是DES-ECB方式

压缩包解压后得到

img

ook!编码,解得密码为:crypto,解压后分别扫码

img

Code1为:BuB+pJN5H0UFTZ02R+

Code2为:IMCYZ0YvimZWU49h8Nh2IXyPtB6YdfmlV7V79/VxVzw+bx

密码为:XMUTSEC

img

最后解得:flag{this_a_des_code}

探索中世纪城堡

img

题目描述(要素察觉)

1
2
xxxxxxxxxx 年轻的大帝率领着64位皇珈骑士冲破了双重阻栏夺下了城池。
ReX7vPFqQd9nOYXfQN9zt2XftYvrQeFhRPJxsO53teJlv259

凯撒解密后得到

1
fa{usrb_oXaga_aoaglgsbciet_inwndmwn}

最后栏数设置为2即可

flag{subscribe_to_Xiangwan_damowang}

XMUTCTF 2021 Writeup 0x1

https://iloli.moe/2021/10/27/XMUTCTF-2021-Writeup-0x1/

Author

IceCliffs

Posted on

2021-10-27

Updated on

2024-11-19

Licensed under

#

Like this article? Support the author with

Comments

Follow

Links

Archives

Tags

CTF18
CVEs2
Computer Network2
Crypto1
DN421
HAM5
HackTheBox3
Hacking7
Hardware4
Java Security1
Music1
OS3
Pwn1
Red Team3
Tetris1
WEB31
Web Security4
Writeup13
pwn1
开箱1
随笔10

Categories

Recents

×